cybersecurity vulnerability statistics

A cyber security vulnerability generally refers to a flaw in software code that allows an attacker access to a network or system. Vulnerabilities leave businesses and individuals open to a range of threats including malware and account takeovers.

There is a huge range of possible vulnerabilities and potential consequences to their exploits. The US government’s National Vulnerability Database (NVD) which is fed by the Common Vulnerabilities and Exposures (CVE) list currently has almost 150,000 entries. One well-known example of a cybersecurity vulnerability is the CVE-2017-0144 Windows weakness that opened the door for WannaCry ransomware attacks via the EternalBlue exploit. Another infamous case is the Mirai botnet that spread through the exploitation of multiple flaws.

Once vulnerabilities are discovered, developers typically work fast to release an update, or “patch.” Ideally, all users install the update before attackers have a chance to exploit the vulnerability. But the reality is that in many cases, attackers strike quickly to take advantage of a known weakness. Plus, even when a patch is released, slow implementation of updates means that attackers can exploit vulnerabilities years after they have been discovered.

In this post, we’ve rounded up the top cybersecurity vulnerability statistics and facts to be aware of as we head into 2021.

1. Over 18,000 vulnerabilities were published in 2020

The NVD database holds 18,362 vulnerabilities published in 2020. This is a higher number than in previous years (17,382 in 2019 and 17,252 in 2018).

2. More than one-third of external-facing web application vulnerabilities are considered high risk

Edgescan’s 2020 Vulnerability Statistics Report analyzed the severity of web application vulnerabilities. It found that more than 40 percent of internal application vulnerabilities are considered high or critical risk. It also found that over 34 percent of vulnerabilities in internet-facing applications are considered high or critical risk.

Vulnerability severity diagrams Edgescan.
Source: Edgescan

3. Organizations with 101–1,000 staff see the most high or critical-risk vulnerabilities

Edgescan’s report also broke down the severity of vulnerabilities according to company size. Smaller companies saw the lowest portion of high or critical risk vulnerabilities (three percent and 0.1 percent respectively), while medium-sized organizations with 101–1,000 employees saw the largest portion (13 percent of vulnerabilities are high risk and one percent are critical).

Risk density diagrams from Edgescan.
Source: Edgescan

4. The mean time to remediation (MTTR) is almost 85 days

According to Edgescan, the average time taken to remediate internet-facing vulnerabilities was 84.59 days. That time was slightly lower for internal vulnerabilities at 75.29 days.

5. The oldest vulnerability discovered in 2019 was 20 years old

Interestingly, Edgescan found a pretty old vulnerability that had been around since 1999: CVE-1999-0517. This affects Simple Network Management Protocol version 2 (SNMPv2), which is used for managing devices and computers on an IP network. The vulnerability can allow unauthorized SNMP access via a guessed community string. It had a base Common Vulnerability Scoring System (CVSS) score of 7.5 making it a high-severity weakness. Perhaps even more surprising was that this particular vulnerability had an occurrence rate of 1.75 percent.

6. The first critical vulnerabilities in a major cloud infrastructure were found in January 2020

In early 2020, Check Point researchers discovered and reported critical vulnerabilities in the Microsoft Azure infrastructure. According to the Check Point article detailing the vulnerability, researchers “wanted to disprove the assumption that cloud infrastructures are secure.” The vulnerabilities received the highest CVSS score of 10.0. The qualitative severity ranking of a score of 9.0-10.0 is “critical.”

These vulnerabilities enable malicious actors to compromise apps and data of users who utilize the same hardware.

7. More than 13% of vulnerabilities have a critical score

According to CVE Details, out of roughly 123,000 vulnerabilities, more than 16,000 have a CVSS score of 9.0–10.0. That said, the vast majority (77 percent) have a score between 4.0 and 8.0.

CVE Details graphs.
Source: CVE Details

8. 80% of attacks in H1 2020 used vulnerabilities that were at least two years old

According to the Check Point Cyber Cyber Attack Trends: 2020 Mid-Year Report, in the first six months of 2020, four out of five attacks took advantage of flaws that were reported in 2017 or earlier. And 18 percent of attacks utilized vulnerabilities that were disclosed in 2013 or before, making them at least seven years old.

Attacks involving cybersecurity vulnerabilities by disclosure year.
Source: Check Point

9. Users of 9 out of 10 web applications are vulnerable to hacking attempts

A February 2020 report from Positive Technologies tells us that 90 percent of web applications can be attacked by hackers. Attacks include stealing credentials, infecting devices with malware, and redirecting users to resources controlled by hackers.

10. The number of web applications with high-risk vulnerabilities dropped in 2019

On the bright side, the Positive Technologies report found that in 2019, there was a significantly smaller portion of web applications with high-risk vulnerabilities. More than two-thirds of websites had high-risk vulnerabilities in 2018, but that figure dropped to 50 percent in 2019.

Graph of high-risk applications in terms of cybersecurity vulnerabilities.
Source: Positive Technologies

11. High-risk vulnerabilities are present on the network perimeters of 84% of companies

A more recent study from Positive Technologies uncovered the alarming statistic that 84 percent of companies have high-risk vulnerabilities on their external networks. It also found that more than half of these could be removed simply by installing updates.

Severity of cybersecurity vulnerabilities.
Source: Positive Technologies

12. More than one in four companies are still vulnerable to WannaCry

Positive Technologies also found that 26 percent of companies remain vulnerable to the WannaCry ransomware as they have not yet patched the vulnerability it exploits.

13. The highest-earning vulnerability for bug bounty hunters is XSS

Hacker One research found that during the period of May 2019 until May 2020, cross-site scripting (XSS) weaknesses earned the most for bug bounty hunters with financial rewards totaling over $4.2 million. Rounding out the top three weakness types was improper access control and information disclosure.

14. The most profitable industry for bounty hunters is computer software

When it comes to which industries earn the most for bounty hunters, computer software weaknesses are the highest earners by quite a significant amount. The average bounty payout for a critical vulnerability is around $5,754. The electronic and semiconductor industry pays $4,633 per critical vulnerability and the cryptocurrency and blockchain field pays about $4,481.

Graph of cybersecurity vulnerability bounty payouts.
Source: Hacker One

15. “80% of public exploits are published before the CVEs are published”

A report published by Palo Alto Networks in August 2020 found that 80 percent of studied exploits were made public before their related CVEs had even been published. Perhaps more concerning is the length of time that passes between publish dates. On average, exploits are published 23 days before their respective CVEs. As noted in the report:

“As a result, there is a good chance that an exploit is already available when the CVE is officially published – illustrating one more way that attackers are too often a step ahead of security professionals.”

16. More than 20,000 WordPress vulnerabilities have been detected over the past 7 years

The number of new vulnerabilities has been increasing steadily since WPScan first started tracking in 2014. More than 4,000 new vulnerabilities were discovered in 2020, more than in any other year.

WP cybersecurity vulnerabilities.
Source: WPScan

17. In Q2 2020, zero-day exploits were involved in over 67% of malware

Watchguard’s Internet Security Report – Q2 2020 tells us that in April–June 2020, it observed more than 10 million zero-day malware detections, accounting for more than two-thirds of all threats.

18. Microsoft saw a surge in vulnerabilities in H1 2020

According to RiskBased Security’s Mid-Year Report, Microsoft saw a huge increase in the number of detected vulnerabilities with an increase of 150 percent in H1 2020 compared to the previous year. With 762 vulnerabilities by June 2020, it topped the list of the top 10 vendors in terms of the number of vulnerability disclosures. It was previously in ninth place on this list. Windows 10 is the product with the most vulnerabilities (478).

Vendors with the most cybersecurity vulnerabilities.
Source: RiskBased Security

19. Over 75 percent of applications have at least one flaw

Veracode’s State of Software Security Report Volume 11 released in October 2020 found that more than three-quarters (75.2 percent) of applications have security flaws. That said, only 24 percent of those are considered to have high-severity flaws.

20. Information leakage flaws are the most common

Veracode also tells us that the most common types of flaws are information leakage, CRLF injection (where an attacker injects unexpected code), cryptographic issues, code quality, and credentials management.

21. One in four flaws are still open after 18 months

A fairly alarming finding from the Veracode report is that after a year and a half, around 25 percent of flaws are still open.

Graph of open flaws.
Source: Veracode

22. Frequent scanning correlates to much faster remediation time

Veracode did find that applications that scanned for flaws regularly saw much faster average remediation times. Those with 260+ scans per day remediated 50 percent of flaws within 62 days. That time was extended to 217 days for applications running just 1–12 scans per day.

Cybersecurity vulnerability remediation time.
Source: Veracode

23. Google has paid $21 million in bug bounties since 2010

Google’s Vulnerability Reward Program (commonly referred to as a bug bounty program) rewards researchers for discovering and reporting bugs in the company’s software. In 2019, it paid out 6.5 million in rewards in 2019 and $21 million since 2010 (not including 2020 numbers which are yet to be released). 461 researchers have been paid bounties, with the largest single award amounting to $201,000.

24. Microsoft paid almost $14 million in bug bounties in one year.

In a similar vein, Microsoft rewards researchers that spot and report bugs in its software. In an August 2020 review, the company reported it had paid $13.7 million in bug bounties in the past 12 months. This is more than double the amount Google paid out in 2019. In total, 327 researchers were awarded with the largest award amounting to $200,000.

Microsoft bounty programs infographic.
Source: Microsoft

25. Facebook has awarded almost 7,000 bounties since 2011

A November 2020 report by Facebook tells us that since its bug bounty program began in 2011, the company has received over 13,000 reports and awarded 6,900 bounties. At the time of the report, 2020 bounties totaled almost $2 million. Around 17,000 reports had been received and more than 1,000 bounties awarded. Its highest bounty to date is $80,000.

26. Unpatched vulnerabilities were involved in 60% of data breaches

According to a 2019 Ponemon Institute Vulnerability Survey:

“60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied.” However, an even higher portion (62 percent) claimed they weren’t aware of vulnerabilities in their organizations prior to a breach.